RE: Command Authorization for show run

From: Church, Chuck (cchurch@netcogov.com)
Date: Thu Oct 14 2004 - 16:03:52 GMT-3


It's not a bug. I believe it had something to do with the fact that a
router doesn't keep the running config in memory to show when needed.
When you do a 'sh run', it actually parses through all the various
interface, router, etc. data structures, and builds it. This behind-the-
scenes work seems to require level 15 access itself. I don't remember
if there was a workaround or not. Maybe someone on the list will
remember the fix, if it exists...

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
JD Plant
Sent: Thursday, October 14, 2004 2:17 PM
To: CCIE Security Mailing List
Subject: Command Authorization for show run

Hey all,

I have noticed strange behavior every time I've used command
authorization to allow the show run command. Everything works great
with all the other commands at the same level.

The commands are configured properly for the per user command
authorization.

The show run command even executes successfully. The problem is the
output is empty, nothing but exclamation marks. I don't know if this
is a bug in command auth or what. Config and command output below:

R7#show run
Building configuration...

Current configuration : 13 bytes
!
!
!
!
end
R7#

***CONFIGURATION SNIPPET***
aaa new-model
aaa authentication login vty group tacacs+ local
aaa authorization exec vty group tacacs+ local
aaa authorization commands 1 vty group tacacs+ if-authenticated
aaa authorization commands 5 vty group tacacs+ if-authenticated
aaa accounting exec vty start-stop group tacacs
aaa accounting commands 1 vty start-stop group tacacs
aaa accounting commands 5 vty start-stop group tacacs

tacacs-server host 175.1.2.3 key cisco

username lab7-telnet privilege 5 password cisco

line vty 0 4
 login authentication vty
 authorization exec vty
 authorization commands 1 vty
 authorization commands 5 vty
 accounting exec vty
 accounting commands 1 vty
 accounting commands 5 vty

privilege exec level 5 show running-config
privilege exec level 5 ping
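The 13-byte output above is what IOS produces when show running-config is run from a privilege level that owns almost none of the configuration-mode commands: the router only prints lines built from commands the caller's level is permitted to use, so a level 5 user gets the "!" separators and "end" and nothing else. The fragment below is an added example, not configuration from either poster. It restates the relevant lines of the posted config and shows two ways to get content back, each with its least-privilege cost. The interface commands chosen, the check commands and the availability of the "view full" keyword (Role-Based CLI Access, IOS 12.3(7)T and later, an assumption about the reader's release) are assumptions, not something the thread states.

```cisco
! Added example, not from the original posts. Interface commands, the
! IOS release and the session transcripts in comments are assumptions.

! --- As posted: the command itself is permitted at level 5, but no
! configuration-mode command lives at level 5, so nothing is printed ---
username lab7-telnet privilege 5 password cisco
privilege exec level 5 show running-config
!   R7#show privilege
!   Current privilege level is 5
!   R7#show run
!   Current configuration : 13 bytes
!   !
!   end

! --- Workaround A: lower the specific configuration-mode commands the
! role needs to see. Each lowered command's lines then appear in the
! level 5 user's show run output ---
privilege exec level 5 configure terminal
privilege configure level 5 interface
privilege interface level 5 ip address
privilege interface level 5 description
! Caveat: classic privilege levels do not separate "view" from
! "execute". The lines above also let lab7-telnet enter interface mode
! and change addresses and descriptions, so grant only what the role
! genuinely needs and keep aaa authorization commands 5 pointed at
! the TACACS+ server so every such command is still checked there.

! --- Workaround B (assumption: IOS 12.3(7)T or later, where the
! view full keyword exists): dump the whole file without lowering any
! configuration command ---
privilege exec level 5 show running-config view full
! Caveat: this exposes everything in the file to the level 5 user,
! including "tacacs-server host 175.1.2.3 key cisco" and any password
! or secret lines, so treat that account as able to read credentials.

! --- Check from a fresh level 5 session after either change ---
!   R7#show privilege
!   Current privilege level is 5
!   R7#show running-config          (workaround A: lowered lines appear)
!   R7#show running-config view full (workaround B: entire file)
```

Re-login before testing: the privilege level is fixed at exec authorization time, and "show privilege" confirms which level the session actually received from TACACS+ before you judge the show run output.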



This archive was generated by hypermail 2.1.4 : Sat Nov 06 2004 - 17:11:48 GMT-3